17 September 2018

Windows Buffer Overflow Example

I’m
learning these days how to exploit Buffer
Overflow Vulnerabilities and
how to find this kind of vulnerabilities. I think the best way to
learn about Buffer Overflow is exploiting these vulnerabilities in a
laboratory by ourself. Therefore, I’ve installed a vulnerable
server in a Windows machine along with Immunity Debugger and Mona
tools. I’ve also installed a Kali Linux machine, which has been the
attacker machine. This is the laboratory I’ve deployed to test a
simple buffer overflow vulnerability that you can check in the next
video.

Firstly,
I've scanned the vulnerable server with the Nmap tool to know whether
POP3 service is open. I’ve also tested a
simple script to send 3000 ‘A’s to the vulnerable server. We can
see the program crashes and ESP registry contains many ‘A’s or
‘41’ in hex. However, we have to find the specific EIP memory
location thus I’ve created a unique string which is sent to the
vulnerable server through the malicious script. Once I’ve
controlled the EIP registry, we have to
know which bytes cause problems within the
vulnerable server such as truncation with bad characters
\x00\x0a\x0d. The next challenge is to locate a JMP ESP instruction
into the memoryto
insert it into the EIP register. Finally, I’ve created a payload
with the msfvenom
tool to add it into the script, which give
us a Windows reverse shell.

Regards my
friends. This has been an amazing demo to know how Buffer Overflow
works. I recommend you do it by yourself.